The adversaries from North Korea are deploying critical backdoors on the devices of targets by using trojanized versions of the PuTTY SSH client. Posing as a fake Amazon job application to put backdoors onto their devices.
It is an interesting element in this campaign that a trojanized version of the PuTTY and KiTTY SSH utilities has been used as a means of deploying a backdoor. While in this case, the PuTTY and KiTTY SSH utility is ‘AIRDRY.V2’.
The cybersecurity researchers at Mandiant have associated this campaign with the threat group known as ‘UNC4034’, and here below we have mentioned the other names of this group:-
In the latest activities carried out by the group, it appears that the campaign ‘Operation Dream Job’ is being continued. As part of this campaign, which has been running since June 2020, media companies are being targeted at this time.
Threat actors begin the attack by emailing their targets with a lucrative job offer from Amazon in an attempt to lure them into the attack.
In the next step, they will communicate through WhatsApp, where they will share a file containing the ISO image:-
Files that are included in the ISO are as follows:
A text file (“readme.txt”)An IP addressLogin credentialsA trojanized version of PuTTY (PuTTY.exe)
It is believed that the threat actors used the file name ‘Amazon-KiTTY[.]exe’ to impersonate the KiTTY SSH client. In regards to the discussion between threat actors and victims, it is not known what was discussed between them.
There was a